Handle with care

It's a common experience. You're at the checkout, the cashier asks, "Do you have a loyalty card?" Why yes, you do. You scan your card, collect your points, and away you go. Easy as pie.

Every day, thousands of transactions are recorded and matched up to loyalty customer databases, which form the basis of hugely valuable marketing programs for the country's largest retailers. But how comfortable are their customers with the amount of data collected, and what it's used for?

Survey: Most people concerned about use of personal information

A survey of 280 CHOICE members has found widespread discomfort over the collection and use of their personal information through retail loyalty programs.

On a scale of one to five (one being "not comfortable at all"), 61% answered one or two when asked how comfortable they are with the type of information
collected about them. Even more were uncomfortable with the amount collected and for how long and how securely it is stored. And 84% had concerns about who businesses were sharing their information with.

The survey asked people how much they thought they knew about the information businesses collect about them: 11% of loyalty program members said they
didn't know "anything at all", with another 60% saying they only knew "a little".

Widespread ignorance of the ways customer data can be used by organisations is a boon for businesses with loyalty programs, as it allows them to trade
sometimes meagre rewards and discounts for their customer's valuable personal information.

What kind of information is being collected and shared?

Retailers want to know what you're buying, how much and how often, and what they can do to make you spend more. The more information they can collect about
your shopping habits the easier their job becomes.

That's why information like your age, gender, address, and household size is more valuable than you think. Retailers engage specialist analytics firms to
create shopper profiles to go with otherwise anonymous lists of purchased items, and wring every piece of information from the raw data that they can.

The rights and responsibilities of private businesses collecting their customers' information are laid down in the 13
Australian Privacy Principles (APPs), which form part of the Privacy Act 1988 (Cth). The APPs also detail your rights when it comes to protecting your information.

Who are businesses sharing my information with?

The sharing of information with third parties was the biggest point of concern raised in our survey.

APP 6 allows businesses to give customers' sensitive information (name, address, etc.) to third parties without consent, provided the reason they are
disclosing it is "directly related" to the reason for collecting the information in the first place, and if the customer would "reasonably expect" the
business to share it.

Retailers usually get your consent anyway, by telling you your information may be shared with "affiliates", "service providers" or "partners" in their
privacy policy, which you agree to by joining a loyalty program.

Customers of multi-business programs like Myer One and Flybuys might receive offers from businesses they have never shopped at, thanks to the sharing of
customer information between participants. The same goes for other businesses under the Wesfarmers (Coles) and Woolworths corporate umbrellas.

How safe is my personal information?

In May 2015 Woolworths was left red-faced by a data leak in which the names and email addresses of thousands of customers was mistakenly sent to over 1000 people outside the company. At the time the supermarket
blamed the breach on a "technical fault", but declined to elaborate.

Businesses have a legal obligation to protect the information they gather about their customers, and to inform them if their data might be sent overseas
and, ideally, to which countries.

Ultimately, it is the responsibility of businesses to ensure that international third parties to which they disclose their customers' information conform
to the APPs.

Worryingly, there is currently no requirement in the APPs for businesses to inform their customers of personal information security breaches, although the
federal government is currently considering legislation to
make mandatory the reporting of data breaches where there is "real risk of serious harm" to affected individuals.

How much data are they collecting?

Nearly two-thirds of respondents were uncomfortable with the amount of their personal information that was being collected. Legally, though, businesses are
required to be upfront about what they collect, and give you complete access to it.

APP 12 requires an organisation to provide individuals with information held about them on their request, subject to certain conditions.

The major supermarket loyalty programs only give customers access to the date and value of their transaction history. However, we know retailers keep
detailed records of each loyalty customer's purchases, which they don't make available to customers unless they request it.

An expert from the Office of the Australian Information Commissioner said that while the transaction history possibly came under the definition of personal
information, any conclusions businesses arrived at from analysing this data probably did not.

How long do they keep my personal information?

Organisations are only allowed to hold on to personal information for as long as it can be used for the reasons it was collected. Once they no longer need
it, they must either destroy the information or anonymise it.

If you leave a loyalty program, businesses must disconnect anything that can be used to identify you (your name and address) from your shopper profile.

The protections established in the APPs do not apply to anonymised information. Businesses can keep non-identifying features, like your age, gender, and
postcode, and continue to use information they have collected about your shopping habits to inform their marketing decisions.

What do people want in a loyalty program?

We asked 280 CHOICE members what they look for in loyalty programs.

No surprises – people are interested in rewards points and immediate discounts at the
checkout, with seven in ten respondents saying these were important features in a loyalty program. Even more said it was important that points were easy
and quick to accumulate.

90% said they valued having no expiry date on the rewards they accrued.

People were less impressed with personally tailored discounts and offers – which was surprising, considering this sort of targeted advertising is the very
point of a loyalty program. A third of respondents said they didn't care for members-only discounts.

A quarter weren't impressed with being offered a
variety of ways to earn points.

These results suggest shoppers are looking for simplicity and value in a loyalty program. "Purchasing goods and services has become a jungle and there are
too many programs," said one respondent. "The rewards are too complex and too small to be worth the brain time required to process."